shithub: freetype+ttf2subf

ref: 44db1addd80981b1a9cbea6b8608c99592a065ea
parent: 1937b557341187eda5434a8a64da9880472c4cd4
author: Werner Lemberg <[email protected]>
date: Tue Aug 14 06:01:00 EDT 2018

[cff] Fix another segv in old engine.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872

* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
[CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in
dictionaries.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
 2018-08-14  Werner Lemberg  <[email protected]>
 
+	[cff] Fix another segv in old engine.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
+	[CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in
+	dictionaries.
+
+2018-08-14  Werner Lemberg  <[email protected]>
+
 	[cff] Fix missing error handling.
 
 	Reported as
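Review bot: the new entry's wording "Disallow invalid T1 opcodes in dictionaries" understates what the code hunk does: besides the Type 1 opcodes (`hsbw`, `closepath`, `callothersubr`, `seac`, `sbw`, `setcurrentpoint`) it also routes the deprecated `dotsection` opcode to `MM_Error`, which is a Type 2 operator rather than an invalid Type 1 one. Suggest extending the entry to "Disallow invalid T1 opcodes and the deprecated `dotsection` opcode in dictionaries" so the ChangeLog matches the switch cases that were actually added.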
@@ -20,7 +32,7 @@
 
 2018-08-14  Werner Lemberg  <[email protected]>
 
-	[cff] Fix segv.
+	[cff] Fix segv in old engine.
 
 	Reported as
 
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -860,6 +860,15 @@
           case cff_op_flex1:
           case cff_op_callsubr:
           case cff_op_callgsubr:
+            /* depracated opcodes */
+          case cff_op_dotsection:
+            /* invalid Type 1 opcodes */
+          case cff_op_hsbw:
+          case cff_op_closepath:
+          case cff_op_callothersubr:
+          case cff_op_seac:
+          case cff_op_sbw:
+          case cff_op_setcurrentpoint:
             goto MM_Error;
 
           default:
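Review bot: typo in the new comment, `/* depracated opcodes */` should read `/* deprecated opcodes */`. More substantively, this hunk grows a denylist of operators that must not appear in a dictionary, and it is the third ChangeLog entry in the same day fixing a segfault in the old engine reached through this path (see "[cff] Fix segv in old engine." and "[cff] Fix missing error handling." above); a fuzzer will keep finding whichever opcode is still missing from the list. Consider inverting the switch so that only the operator(s) legitimately allowed in a dictionary context fall through, with every other `cff_op_*` value (including any added to the enum later) taking the `goto MM_Error;` branch by default; that closes the class of bug instead of one instance of it.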